We claim:

1. A method for constructing and caching a chain of file identifiers that represent a
full path to a file system resource comprising the steps of:

retrieving a file identifier corresponding to the file system resource which is the
target of the access attempt and a file identifier chain for the directory of the target
system resource;

searching for the effective security classification category and defined name for
the target resource file identifier;

updating the security classification system, when said search finds a security
classification category for the target resource file identifier;

determining whether operations for the target file system resource could affect the
file system name space; and

terminating said method when operation does not affect the file system name
space.

2. The method as described in claim 1 wherein after said searching step, the security
classification category is set to an unclassified category and the defined name is set to the
path used in the file system resource access attempt when said security classification
category search does not find a security classification category.

3. The method as described in claim 1 further comprising the step of flushing the
file identifier chain cache when there is a determination that desired operations on the
target file system resource could affect the file system name space.



4. The method as described in claim 1 further comprising before said file identifier
(FID) retrieval step the step of processing a system resource's defined name (DN) and
security classification category into a mapping database which holds a FID to DN
mapping.

5. The method as described in claim 4 wherein said database processing
comprises:

providing the defined name and security classification category as inputs;

obtaining a file identifier (FID) for the defined name; and

adding the FID to DN mapping containing the security classification category to
the mapping database.

6. The method as described in claim 1 wherein said searching step comprises:

searching the FID to DN mapping database for the security classification category
for the FID of the target resource; and

returning the security classification category and defined name for the target FID,
when a security classification category for the target FID was found during said search.

7. The method as described in claim 1 wherein said searching step comprises:

searching the FID to DN mapping database for the security classification category
for the FID of the target resource;

retrieving a FID from the FID chain, when the search does not find a security
classification category for the FID of the target resource;

searching the FID to DN mapping database for the security classification category
for the FID of the FID chain; and

returning the security classification category and defined name for the target FID,
when a security classification category for the target FID was found during said search.

8. The method as described in claim 7 further comprising the steps of:

determining whether more entries in the FID chain, when the search does not find
a security classification category for the FID used in the search;

retrieving the next FID in the FID chain; and

searching the FID to DN mapping database for the security classification category
for the currently retrieved FID of the FID chain.

9. The method as described in claim 8 further comprising the step of terminating the
method when no security classification category is found for any FID in the FID chain.

10. The method as described in claim 3 wherein said flushing step comprises:

retrieving the path name for the target resource, said path name being to a
directory for the target resource;

obtaining a vnode for the directory;

generating a FID for the directory using the vnode;

searching for FID chain matching directory FID; and

removing FID chain from cache, when matching FID chain is found.



11. The method as described in claim 10 further comprising before said searching
step the step of sorting the FID chains in the FID chain cache into hash list.

12. The method as described in claim 11 wherein said searching step comprises:

retrieving the first FID chain in the FID chain list;

comparing each FID in said first FID chain to said directory FID;

determining whether there are more FID chains in the list, when said FID chain
did not match said directory FID;

retrieving the next FID chain in the FID, and

returning to said comparing step using newly retrieved FID chain.



13. The method as described in claim 11 wherein said searching step comprises:

retrieving the first FID chain in the FID chain list;

comparing each FID in said first FID chain to said directory FID;

determining whether there are more FID chains in the list, when said FID chain
did not match said directory FID; and

terminating method when no FID chain is found.

14. A computer program product in a computer readable medium for use in
constructing and caching a chain of file identifiers that represent a full path to file
system resource comprising:

instructions for retrieving a file identifier corresponding to the file system
resource which is the target of the access attempt and a file identifier chain for the
directory of the target system resource;

instructions for searching for the effective security classification category and
defined name for the target resource file identifier;

instructions for updating the security classification system, when said search finds
a security classification category for the target resource file identifier;

instructions for determining whether operations for the target file system resource
could affect the file system name space; and

instructions for terminating said method when operation does not affect the file
system name space.

15. The computer program product as described in claim 14 further comprising
instructions for flushing the file identifier chain cache when there is a determination
that desired operations on the target file system resource could affect the file system
name space.



16. The computer program product as described in claim 15 wherein said flushing
instructions comprise:

instructions for retrieving the path name for the target resource, said path name
being to a directory for the target resource;

instructions for obtaining a vnode for the directory;

instructions for generating a FID for the directory using the vnode;

instructions for searching for FID chain matching directory FID; and

instructions for removing FID chain from cache, when matching FID chain is
found.

17. The computer program product as described in claim 14 wherein said searching
instruction comprises:

instructions for searching the FID to DN mapping database for the security
classification category for the FID of the target resource;

instructions for retrieving a FID from the FID chain, when the search does not
find a security classification category for the FID of the target resource;

instructions for searching the FID to DN mapping database for the security
classification category for the FID of the FID chain; and

instructions for returning the security classification category and defined name for
the target FID, when a security classification category for the target FID was found
during said search.

18. The computer program product as described in claim 17 further comprising the
steps of:

instructions for determining whether more entries in the FID chain, when the
search does not find a security classification category for the FID used in the search;

instructions for retrieving the next FID in the FID chain; and

instructions for searching the FID to DN mapping database for the security
classification category for the currently retrieved FID of the FID chain.

19. The computer program product as described in claim 18 further comprising before
said searching instructions, instructions for sorting the FID chains in the FID chain cache
into hash list.



20. The computer program product as described in claim 19 wherein said searching
instruction comprises:

instructions for retrieving the first FID chain in the FID chain list;

instructions for comparing each FID in said first FID chain to said directory FID;

instructions for determining whether there are more FID chains in the list, when
said FID chain did not match said directory FID; and

instructions for terminating method when no FID chain is found.

21. The method as described in claim 1 wherein said file identifier retrieval step
comprises:

retrieving the path name of the file resource which is the target of the access
attempt;

obtaining a FID for target resource with said path name;

determining whether obtained FID is in a FID chain; and

returning the target FID and FID chain, when the target resource FID was found
in the FID Chain Cache.

22. The method as described in claim 21 further comprising after said path name
retrieval step, the step of obtaining vnodes for the target path and parent directory.

23. The method as described in claim 1 wherein said file identifier retrieval step
comprises:

retrieving the path name of the file resource which is the target of the access
attempt;

obtaining a FID for target resource with said path name;

determining whether obtained FID is in a FID chain; and

constructing a FID chain for the parent directory, when no FID chain is found.

24. The method as described in claim 23 wherein said FID chain construction
comprises:

setting a temporary vnode to equal the vnode for the parent of the target resource;

determining whether the temporary vnode is the root directory;

inserting FID chain into FID chain cache with the first FID in the chain serving as
the entry search key, when temporary vnode is the root directory.

25. The method as described in claim 23 wherein said FID chain construction
comprises:

setting a temporary vnode to equal the vnode for the parent of the target
resource;

determining whether the temporary vnode is the root directory;

retrieving a vnode for the next parent in the directory path and determining
whether that parent is the root directory;

repeating said retrieving step until parent is the root of the directory.

26. The method as described in claim 25 further comprising the step of inserting a
completed FID chain into the FID chain cache when the parent is the root directory.

27. A computer connectable to a distributed computing system which includes file
system objects containing information accessed during the execution of application and
system programs comprising:

a processor;

a native operating system;

application programs;

an external authorization program overlaying said native operating system and
augmenting standard security controls of said native operating system;

a cache storage location for storing file identifier chains which represent paths to
system resources; said cache providing for faster searches of file identifiers.

an access decision component within said external authorization program for
determining access to protected file system objects.

28. The method as described in claim 1 wherein said method is implemented through
the use of externally stored attributes, said attributes being security rules for system
resources and further comprising the step of attaching security rules of a directory to all
files in said directory.
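The lookup and flush steps of claims 2 through 12 and 23 through 26 can be modelled in user space; the following is an added illustration, not code from the patent or any product implementing it. It assumes a FID can be modelled as a (device, inode) pair, uses in-memory dictionaries for the FID to DN mapping database and the FID chain cache, and the names `FidClassifier`, `protect`, `classify` and `flush` are hypothetical. It also shows why the flush matters: after a directory is moved out of a protected tree, an unflushed chain still reports the old classification.

```python
import os
import tempfile
from pathlib import Path

def fid(path):
    st = os.stat(path)
    return (st.st_dev, st.st_ino)  # assumed FID model: device + inode

class FidClassifier:
    def __init__(self):
        self.fid_to_dn = {}    # FID -> (defined name, classification category)
        self.chain_cache = {}  # directory FID -> [directory FID, ..., root FID]

    def protect(self, defined_name, category):          # claims 4-5
        self.fid_to_dn[fid(defined_name)] = (str(defined_name), category)

    def _chain(self, directory):                         # claims 23-26
        key = fid(directory)                             # first FID is the search key
        if key not in self.chain_cache:
            d = Path(directory).resolve()
            self.chain_cache[key] = [fid(p) for p in (d, *d.parents)]
        return self.chain_cache[key]

    def classify(self, path):                            # claims 2 and 6-9
        target = Path(path).resolve()
        for f in [fid(target)] + self._chain(target.parent):
            if f in self.fid_to_dn:
                return self.fid_to_dn[f]
        return (str(path), "unclassified")

    def flush(self, directory):                          # claims 3, 10 and 12
        d = fid(directory)
        stale = [k for k, chain in self.chain_cache.items() if d in chain]
        for k in stale:
            del self.chain_cache[k]
        return len(stale)

def demo():
    with tempfile.TemporaryDirectory() as root:          # constructed sample tree
        old, new = Path(root, "secret", "sub"), Path(root, "public", "sub")
        old.mkdir(parents=True)
        new.parent.mkdir()
        (old / "f.txt").touch()
        az = FidClassifier()
        az.protect(old.parent, "confidential")
        before = az.classify(old / "f.txt")[1]           # inherited via the chain
        os.rename(old, new)                              # name space changes
        stale = az.classify(new / "f.txt")[1]            # cached chain is now wrong
        return before, stale, az.flush(new), az.classify(new / "f.txt")[1]
```
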



